1. Technical Field
This disclosure relates generally to security policy and compliance management for information technology (IT) systems.
2. Background of the Related Art
Information security is the process of providing a set of controls to manage risk, with the end goal of demonstrating compliance with a set of regulations. Security policies specify how those controls operate and therefore to what extent risk can actually be managed.
Identity management (IdM) systems manage the life cycle of users and their accounts across a number of managed systems, such as directories, databases, operating systems and enterprise applications. Some IdM systems provide a mechanism for comparing the state of user accounts on managed systems and, in particular, comparing them to their last recorded state. This process, sometimes referred to as reconciliation, is used to enable policy-based user provisioning and compliance checking.
Known implementations for reconciling identity information, such as those found in commercial products like IBM® Tivoli® Identity Manager™, usually involve reading a large set of user account data from a managed system and sending that data set to the IdM server periodically. In a typical example, such as where the managed system is Microsoft® Active Directory™, the IdM system may be configured to retrieve all account information, say, every day or every week. This retrieval process causes a significant degradation in the performance of the IT system whose accounts are being managed by that directory. This problem leads organizations to schedule reconciliations less frequently than is often necessary or desirable, thus increasing the risk of undetected security violations such as unauthorized entitlements or access.
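The reconciliation step described in the two preceding paragraphs, shown as an added example that is not code from the disclosure or from any product it names: the last recorded state of the managed system's accounts is compared with a freshly read snapshot, the differences are reported, and any account holding a privileged entitlement without a matching approval record is flagged as non-compliant. The account names, group names, policy and approval records are constructed sample data; in a real deployment the current snapshot is the expensive bulk read from the managed system that the text refers to.

```python
# Added illustration of account reconciliation: compare the last recorded state
# of accounts on a managed system with a freshly read snapshot, report the
# differences, and flag entitlements that violate a policy. All sample data,
# group names and approval records below are constructed for this example.

def reconcile(last_recorded, current):
    """Return the differences between two {uid: set_of_groups} mappings."""
    added = sorted(set(current) - set(last_recorded))
    removed = sorted(set(last_recorded) - set(current))
    changed = {}
    for uid in set(current) & set(last_recorded):
        before, after = last_recorded[uid], current[uid]
        if before != after:
            changed[uid] = {
                "gained": sorted(after - before),
                "lost": sorted(before - after),
            }
    return {"added": added, "removed": removed, "changed": changed}


def find_violations(current, privileged_groups, approved):
    """Flag accounts holding a privileged group without an approval record.

    `approved` maps uid -> set of privileged groups that account is entitled to;
    anything privileged beyond that set is reported as a violation.
    """
    violations = {}
    for uid, groups in current.items():
        unapproved = (groups & privileged_groups) - approved.get(uid, set())
        if unapproved:
            violations[uid] = sorted(unapproved)
    return violations


# Constructed sample snapshots (uid -> groups) for a hypothetical directory.
LAST_RECORDED = {
    "alice": {"Users", "Domain Admins"},
    "bob": {"Users"},
    "carol": {"Users", "Finance"},
}
CURRENT = {
    "alice": {"Users", "Domain Admins"},
    "bob": {"Users", "Domain Admins"},   # bob gained a privileged group
    "dave": {"Users"},                   # new account; carol is gone
}
PRIVILEGED_GROUPS = {"Domain Admins"}
APPROVED = {"alice": {"Domain Admins"}}   # constructed approval records


if __name__ == "__main__":
    print(reconcile(LAST_RECORDED, CURRENT))
    print(find_violations(CURRENT, PRIVILEGED_GROUPS, APPROVED))
```

Running the block reports dave as added, carol as removed, bob as having gained "Domain Admins", and bob as the single policy violation; alice holds the same group but has an approval record. The detection only happens when a snapshot is taken, which is why the interval between reconciliations bounds how long such a change can go unnoticed.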
Therefore, there is a need in the art to enhance reconciliation mechanisms to allow non-compliant accounts to be detected at the earliest possible opportunity. The subject matter of this disclosure addresses this need.